Optical Fault Induction Attacks
Abstract
We describe a new class of attacks on secure microcontrollers and smartcards. Illumination of a target transistor causes it to conduct, thereby inducing a transient fault. Such attacks are practical; they do not even require expensive laser equipment. We have carried them out using a flashgun bought second-hand from a camera store for $30 and with an $8 laser pointer. As an illustration of the power of this attack, we developed techniques to set or reset any individual bit of SRAM in a microcontroller. Unless suitable countermeasures are taken, optical probing may also be used to induce errors in cryptographic computations or protocols, and to disrupt the processor’s control flow. It thus provides a powerful extension of existing glitching and fault analysis techniques. This vulnerability may pose a big problem for the industry, similar to those resulting from probing attacks in the mid-1990s and power analysis attacks in the late 1990s.
We have therefore developed a technology to block these attacks. We use self-timed dual-rail circuit design techniques whereby a logical 1 or 0 is not encoded by a high or low voltage on a single line, but by (HL) or (LH) on a pair of lines. The combination (HH) signals an alarm, which will typically reset the processor. Circuits can be designed so that single-transistor failures do not lead to security failure. This technology may also make power analysis attacks very much harder.
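The dual-rail encoding described above, as an added example (not code from the paper): it enumerates rail faults on an encoded word and counts how many are rejected versus silently accepted as a wrong value. Assumptions: a fault is modelled abstractly as one rail reading the wrong level, and (LL), which the abstract does not mention, is treated as carrying no data.

```python
from itertools import combinations

H, L = 1, 0
# From the abstract: logical 1 -> (HL), logical 0 -> (LH).
ENCODE = {1: (H, L), 0: (L, H)}


def decode(pair):
    """Decode one rail pair into 0, 1, 'ALARM' or 'IDLE'."""
    if pair == (H, H):
        return "ALARM"  # from the abstract: (HH) signals an alarm
    if pair == (L, L):
        return "IDLE"   # assumption: (LL) is not a data value
    return 1 if pair == (H, L) else 0


def encode_word(bits):
    """Flatten a list of logical bits into a list of rail levels."""
    return [level for b in bits for level in ENCODE[b]]


def decode_word(rails):
    """Decode consecutive rail pairs back into symbols."""
    return [decode((rails[i], rails[i + 1])) for i in range(0, len(rails), 2)]


def classify_faults(bits, n_faults):
    """Flip every combination of n_faults rails and classify the outcome.

    'rejected': at least one pair is not a valid data value, so no wrong
                word is accepted.
    'silent':   every pair is still valid but the word has changed.
    """
    clean = encode_word(bits)
    counts = {"rejected": 0, "silent": 0}
    for positions in combinations(range(len(clean)), n_faults):
        rails = list(clean)
        for p in positions:
            rails[p] ^= 1  # the faulted rail reads the opposite level
        out = decode_word(rails)
        if any(v in ("ALARM", "IDLE") for v in out):
            counts["rejected"] += 1
        elif out != list(bits):
            counts["silent"] += 1
    return counts


if __name__ == "__main__":
    word = [1, 0, 1, 1]  # constructed sample word
    for n in (1, 2):
        print(n, "rail fault(s):", classify_faults(word, n))
```

Valid codewords differ in both rails, so a single faulted rail never yields a different valid value; a silent bit flip needs both rails of the same pair to change together.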
Author information
Authors and Affiliations
- Computer Laboratory, University of Cambridge, 15 JJ Thomson Avenue, CB3 0FD, Cambridge, UK
Sergei P. Skorobogatov & Ross J. Anderson
Authors
- Sergei P. Skorobogatov
- Ross J. Anderson
Editor information
Editors and Affiliations
- RSA Laboratories, 174 Middlesex Turnpike, MA 01730, Bedford, USA
Burton S. Kaliski
- Oregon State University, Corvallis, 97330, Oregon, USA
Çetin K. Koç
- Ruhr-Universität Bochum, 44780, Bochum, Germany
Christof Paar
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Skorobogatov, S.P., Anderson, R.J. (2003). Optical Fault Induction Attacks. In: Kaliski, B.S., Koç, Ç.K., Paar, C. (eds) Cryptographic Hardware and Embedded Systems - CHES 2002. CHES 2002. Lecture Notes in Computer Science, vol 2523. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36400-5_2
- DOI: https://doi.org/10.1007/3-540-36400-5_2
- Published: 17 February 2003
- Publisher Name: Springer, Berlin, Heidelberg
- Print ISBN: 978-3-540-00409-7
- Online ISBN: 978-3-540-36400-9
- eBook Packages: Springer Book Archive